Google’s expanded initiative, called the Google Play Security Reward Program, offers rewards to developers who uncover issues in apps on the Play Store. Previously, the program only covered a set list of eight top apps, but now any app from the Play Store with more than 100 million installs is fair game. If developers discover and disclose a vulnerability in an app to Google, they can claim bounties of up to $30,000.
Typical bug bounty programs are run by companies to offer rewards to people who find security issues within the company’s own software. This program is unusual in that it offers bounties for finding vulnerabilities in other companies’ apps as well.
“This opens the door for security researchers to help hundreds of organizations identify and fix vulnerabilities in their apps,” a Google spokesperson said. If an app developer has its own bug bounty program, bounties for a bug can be claimed from both the app developer and Google.
In addition, Google is launching a Developer Data Protection Reward Program to hunt down “data abuse issues” in Android apps, OAuth projects and Chrome extensions. This means finding apps that are using or selling users’ data without user consent. If a data-abusing app or extension is reported to the program, it will be removed from the Play Store or the Chrome Web Store and the bug hunter will receive a payment of up to $50,000.